U.S. Department of Energy
Office of Inspector General
Office of Inspections and Special Inquiries

Inspection Report
Internal Controls over Computer Hard Drives at the Oak Ridge National Laboratory

INS-O-10-03                          August 2010

Department of Energy
Washington, DC 20585

August 16, 2010

MEMORANDUM FOR THE DIRECTOR, OFFICE OF SCIENCE

FROM:     Sandra D. Bruce
          Assistant Inspector General for Inspections and Special Inquiries

SUBJECT:  INFORMATION: Inspection Report on "Internal Controls over Computer Hard Drives at the Oak Ridge National Laboratory"

BACKGROUND

The Department of Energy's (Department) Oak Ridge National Laboratory (ORNL) in Oak Ridge, Tennessee, provides unique expertise in support of the Department's science and national security portfolios. UT-Battelle, LLC, manages ORNL for the Department through the Oak Ridge Office. ORNL's mission frequently involves producing and receiving sensitive electronic information, which requires special handling to protect against unauthorized disclosure. Of its approximately 16,400 computers, over 6,200 produce, store or transfer sensitive unclassified information, such as Official Use Only and Personally Identifiable Information (PII) (e.g., name, social security number and medical history). Department guidance requires that storage media no longer in use, but previously used to process sensitive unclassified information, be either protected by approved encryption or tracked and controlled until purged or destroyed.
After receiving an allegation that computer hard drives were being removed by unauthorized individuals, a practice that could potentially result in the unauthorized release of sensitive unclassified information, the Office of Inspector General initiated an inspection to review the facts and circumstances of the allegation.

RESULTS OF INSPECTION

We concluded that ORNL did not have adequate internal controls to effectively track and control hard drives which potentially contain sensitive unclassified information. Specifically, ORNL had not implemented controls to encrypt, or track and control, hard drives that may contain sensitive unclassified information. Division Computer Security Officers (DCSOs), who are responsible for identifying and addressing computer security concerns, informed us that they recovered hard drives from unsecured locations, such as unoccupied offices, hallways, and docks. Also, after recovering these hard drives, the DCSOs told us that they could not give us an accurate count of the number of hard drives in their possession. To clarify the scope of this potential vulnerability, we requested that ORNL conduct a survey to account for the total number of hard drives secured by the DCSOs. In response to our request, ORNL identified approximately 1,500 hard drives that were secured and stored by ORNL DCSOs at the site. In reviewing the survey results, we noted a significant disparity between the number of hard drives estimated by the DCSOs and the actual number recovered. Although the DCSOs controlled and stored the hard drives, they acknowledged that the hard drives had not been formally tracked, as required.

We also reviewed ORNL's Campus Support and Instrumentation Division's hard drive database. The Division's instrument technicians are responsible for removing hard drives from excessed computers.
A review of the database revealed that hard drives were missing from 424 computers, of which 193 had been used to process information in sensitive program areas, such as the Health Services Division and those located in the Limited Security Area. In accordance with ORNL policies, fixed (non-removable) computer hard drives are only to be removed from excessed computers by Campus Support technicians. Nothing came to our attention to suggest that there had been a compromise of system information. However, the concerns raised during the inspection suggest that ORNL was not making the maximum use of readily available measures to prevent compromise.

To address these matters, we made recommendations to the Manager, Oak Ridge Office.

MANAGEMENT REACTION

In comments on a draft of this report, Oak Ridge Office officials concurred with the report recommendations, but took exception to some of our analysis regarding the requirement to track or encrypt hard drives; the finding of hard drives in unoccupied rooms; and the unauthorized removal of hard drives.
We addressed management's concerns in the report.

Attachment

cc:    Deputy Secretary
       Under Secretary for Science
       Chief of Staff
       Director, Office of Risk Management, CF-80
       Manager, Oak Ridge Office
       Team Leader, Office of Risk Management, CF-80
       Audit Resolution Specialist, Office of Risk Management, CF-80

REPORT ON INTERNAL CONTROLS OVER COMPUTER HARD DRIVES AT THE OAK RIDGE NATIONAL LABORATORY

TABLE OF CONTENTS

OVERVIEW
    Introduction and Objective
    Summary

DETAILS OF FINDINGS
    Inadequate Controls Over Hard Drives
    Other Matters

RECOMMENDATIONS

MANAGEMENT AND INSPECTOR COMMENTS

APPENDICES
    A. Scope and Methodology
    B. Prior Reports
    C. Management Comments

Overview

INTRODUCTION AND OBJECTIVE

The Department of Energy's (Department) Oak Ridge National Laboratory (ORNL) in Oak Ridge, Tennessee, provides technology and expertise in support of the Department's science and national security portfolios. UT-Battelle, LLC, manages ORNL for the Department through the Oak Ridge Office. ORNL's mission frequently involves producing and receiving sensitive electronic information, which requires special handling to protect against unauthorized disclosure.
Of its approximately 16,400 computers, over 6,200 produce, store or transfer information, including sensitive unclassified information, such as Official Use Only and Personally Identifiable Information (PII) (e.g., name, social security number and medical history). As part of its normal procedures, ORNL excesses approximately 2,000 computers annually, many of which may have processed sensitive unclassified information.

To help protect sensitive unclassified information, the Department has issued specific tracking, controlling, purging and destruction guidance. In addition to Department regulations, ORNL has issued internal guidance and cyber security requirements which focus on protecting such information from inappropriate release.

After receiving an allegation that computer hard drives were being removed by unauthorized individuals, a practice that could potentially result in the unauthorized release of sensitive unclassified information, the Office of Inspector General initiated an inspection.
The inspection was initiated to determine whether:

   • ORNL had adequate internal controls to track and control excessed computer hard drives;

   • Internal computer hard drives at ORNL were being removed contrary to ORNL's cyber security policies and procedures; and

   • The circumstances surrounding the removal and disposal of hard drives at ORNL were consistent with requirements in place at the time of our review.

SUMMARY

We concluded that ORNL's controls over the tracking of hard drives which may contain sensitive unclassified information were inadequate to prevent the unauthorized dissemination of such information. Specifically, ORNL had not implemented controls to encrypt, or track and control, hard drives. Department guidance requires that storage media no longer in use, but previously used to process sensitive unclassified information, be either protected by approved encryption or tracked and controlled until purged or destroyed.

During our review, Division Computer Security Officers (DCSOs), who are responsible for identifying and addressing computer security concerns, informed us that hard drives were removed from computers without authorization and had been abandoned in unoccupied offices, hallways, and other locations.
This was an apparent disregard for established procedures. These hard drives were subsequently collected and secured by the DCSOs. We requested that ORNL conduct a survey to determine the number of hard drives stored and secured by the DCSOs.[1] As a result of our request, ORNL identified approximately 1,500 hard drives (which were no longer in use) that were secured and stored by the DCSOs at the site.

In January 2007, the Department issued Cyber Security Program Chief Information Officer Guidance CS-11, "Media Clearing, Purging, and Destruction Guidance," which notes that storage media no longer in use, which was previously used to process sensitive unclassified information, must be tracked and controlled until purged or destroyed.[2] These protective measures for sensitive unclassified information are intended to minimize the potential of the inadvertent disclosure of information while increasing the difficulty of unlawfully obtaining such information.

We noted that ORNL policy requires full disk encryption for all laptop computers.
However, for desktop computers, ORNL had not implemented existing Department guidance to encrypt, or track and control, hard drives associated with sensitive unclassified systems. ORNL internal policy prohibits individuals other than Campus Support and Instrumentation Division instrument technicians (Campus Support technicians) from removing hard drives from computers. However, our review of the Campus Support technicians' database revealed that hard drives were removed by someone other than the authorized technicians. Specifically, hard drives were missing from 424 computers (11 were laptop computers), of which 193 had been used to process information in sensitive program areas, such as the Health Services Division and those located in the Limited Security Area (LSA). While we are not aware of any resulting compromise, these types of weaknesses expose the Department to the risk that sensitive mission and PII information may be compromised.

[1] The total number of hard drives stored and secured included abandoned hard drives and hard drives turned in to the DCSOs. The survey would be beneficial in determining the accountability of hard drives which may contain sensitive unclassified data.

[2] CS-11 has been replaced by the Department's Cyber Security Technical and Management Requirements, "Media Clearing, Purging, and Destruction (TMR-10)."
We coordinated with Oak Ridge Office and ORNL officials during our fieldwork. In response to our findings, ORNL officials initiated a number of corrective actions to track hard drives used to process such information. These actions included:

   • Notifying ORNL employees of ORNL's policy that fixed (non-removable) computer hard drives are only to be removed from excessed computers by Campus Support technicians. ORNL is currently working on addressing employee awareness and also anticipates revising its cyber security training on this topic;

   • Removing and destroying approximately 1,500 hard drives; and

   • Taking action to implement the Department's most current guidance and requirements on tracking hard drives used in processing sensitive unclassified information.

The Office of Inspector General has completed several reviews related to information security, expressing concerns regarding the ability of Department sites to protect sensitive unclassified information. An August 2009 OIG report identified the concern that various Department sites were not encrypting sensitive information contained on desktops. A list of the associated reports is found at Appendix B.

Details of Findings

INADEQUATE CONTROLS OVER HARD DRIVES

We concluded that ORNL did not have adequate internal controls to effectively encrypt, or track and control, hard drives that potentially contain sensitive unclassified information.
Campus Support technicians and DCSOs informed us that hard drives were removed from computers by unauthorized personnel and, in some instances, abandoned in various locations. This situation occurred because some ORNL employees were not aware of the requirement that only technicians were authorized to remove hard drives, and because ORNL had not implemented effective control measures. In this regard, officials had not ensured that responsible employees complied with ORNL internal guidelines or the Department's guidance and requirement to encrypt, or track and control, hard drives containing sensitive unclassified information. This situation increased the potential for the compromise of sensitive unclassified information.

Recovered Hard Drives

The DCSOs informed us that numerous hard drives had been recovered from unoccupied ORNL offices, hallways, docks and other locations. These hard drives, some from computers used in sensitive areas, were removed without authorization, abandoned in various locations and subsequently found by DCSOs and secured. The identity of the individuals abandoning those hard drives was unknown to the DCSOs. Although the DCSOs subsequently controlled and stored the hard drives, none of the DCSOs provided evidence that the hard drives were formally tracked.
To illustrate this lack of tracking, one DCSO we interviewed estimated that approximately 100 recovered hard drives were in storage, but when he took us to an adjacent building, we counted only 55 recovered hard drives. These hard drives had been stored in two locked rooms for years since being secured from various offices and laboratories.

In order to determine the number of untracked hard drives residing with the DCSOs, we requested that Laboratory officials conduct a survey to identify hard drives secured and stored by ORNL which were no longer in use. As a result of our request, the DCSOs identified approximately 1,500 hard drives, including the 55 originally identified in our review. After conducting this assessment, ORNL management took immediate action and destroyed the 1,500 hard drives in accordance with Department regulations.

The survey results also identified 66 recovered hard drives that were identified and collected by the DCSO we mentioned previously. No explanation was ever provided to account for the additional 11 hard drives.
In fact, the survey identified several other DCSOs with a significant disparity between the estimated number of hard drives in storage and those actually recovered, the largest discrepancy of which was 159 fewer hard drives collected than originally estimated by the DCSO. The lack of controls identified in our report and the disparity noted above raised additional concerns regarding the potential for compromised information.

[Photograph: hard drive storage]

During interviews, several DCSOs acknowledged that certain of the hard drives contained PII, or said that this was likely. To determine whether any of the hard drives contained PII, we requested that the Office of Inspector General's Office of Investigations conduct a forensic examination of a hard drive that another DCSO indicated was found unsecured. In this case, the owner was never known to the DCSO. The forensic examination revealed that the hard drive contained sensitive unclassified information.
Specifically, the examination of the hard drive revealed 21 pages of PII, including the name, date of birth, and medical information pertaining to an ORNL employee.[3] The hard drive also contained the individual's salary/deduction wage allocations, which ORNL treats as sensitive unclassified information, and assorted scientific research data.

The inspection did not determine whether the personal information was generated by the individual on his or her work computer for personal use, or by ORNL's Health Services Division or Human Resources Directorate, or otherwise maintained by UT-Battelle or the Department. In accordance with the Department's Chief Information Officer Guidance CS-38A, "Protection of Sensitive Unclassified Information, Including Personally Identifiable Information," UT-Battelle does not consider personal information stored by individuals about themselves on their assigned workstations or laptops at ORNL to be PII. Therefore, such information is not subject to Department protection requirements for sensitive unclassified information unless it contains a social security number.

[3] In accordance with Department policy, we notified the Office of Cyber Security regarding this issue.
ORNL's policy, "Requirements for Protected Personally Identifiable Information," defines PII as "An individual's first name or first initial and last name in combination with any one or more of the following types of information including, but not limited to, medical, and financial records, etc."

Senior ORNL officials indicated that "encryption and tracking are not currently required by the ORNL contract." The officials further stated that ORNL is in compliance with the current Office of Science Program Cyber Security Plan (PCSP), which has not been updated since 2007. However, the Department requires that Departmental elements, including the Office of Science, which manages ORNL, develop cyber security requirements through a PCSP using a risk-based approach. Specifically, the Office of Science's PCSP requirement is to implement Department Manual 205.1-2, "Clearing, Sanitization, and Destruction of Information System Storage Media, Memory Devices, and Related Hardware Manual." Senior ORNL officials stated that 205.1-2 does not require encryption or tracking of hard drives.
However, we noted that Department Manual 205.1-6, "Media Sanitization Manual," issued in December 2008, requires that storage media no longer in use, previously used to process sensitive unclassified information, must either be protected by approved encryption or tracked and controlled until purged or destroyed.

According to a senior Headquarters official responsible for maintaining and developing the PCSP for the Office of Science, ORNL is required to implement Department Manual 205.1-2 with consideration of Departmental Guidance CS-11, "Media Clearing, Purging, and Destruction Guidance." CS-11, issued in January 2007 as a part of the Department's Cyber Security Revitalization Plan, identifies specific guidance concerning the tracking or control of storage media used to process sensitive unclassified information. The senior official stated that if ORNL officials did not implement CS-11, they should have documented that a risk assessment was conducted and formally identified the individual who assumed the risk of not implementing the guidance. Oak Ridge Office and ORNL officials were unable to provide documentation of the risk assessment conducted, nor could they provide the name or title of the individual accepting responsibility for not implementing Department guidance. The guidance noted in CS-11 is similar to the requirements in Department Manual 205.1-6, "Media Sanitization Manual," in that both require that media containing sensitive information be tracked and controlled until purged or destroyed.
ORNL incorporated the requirements of Department Manual 205.1-6 in its contract in March 2009, but had not included the Manual's requirements in its current ORNL Cyber Security Plan. A senior ORNL official from the Office of the Chief Information Officer informed us that, prior to our inspection, there had been discussions of possibly encrypting hard drives for sensitive unclassified systems, or of identifying systems that may contain such information and tracking the associated hard drives as part of ORNL's Cyber Security Plan. In September 2009, ORNL officials informed us that they had initiated actions to evaluate the implementation of tracking hard drives used to process sensitive unclassified information.

In a related Office of Inspector General report issued in August 2009, concerning the protection of sensitive unclassified information, we noted that sites reviewed were not encrypting sensitive information contained on desktops. Additionally, the National Institute of Standards and Technology (NIST) Special Publication 800-111, "Guide to Storage Encryption Technologies for End User Devices," had identified such an encryption practice as a "best practice" and part of an effective risk-based management approach to information protection. Of the two controls the Department permits, encryption is the more robust against the failure observed here: a drive encrypted at rest yields no usable data without its key, so the information stays protected even when physical tracking of the drive breaks down.

Unauthorized Removal of Hard Drives

We reviewed the hard drive database operated by the ORNL Campus Support technicians. Our review revealed that 424 hard drives were removed by someone other than the authorized technicians during the period of January 2008 to January 2009.
Of the 424 hard drives, 193 were from sensitive program areas involved in national security, export control and medical information processing. The review also revealed that many computers had multiple hard drives installed, some up to 18. The removal of hard drives by unauthorized individuals, as recognized by Department policy, represents a vulnerability.

During our interviews, three property custodians and one DCSO acknowledged removing hard drives for use as storage devices or for reuse in other computers. One DCSO informed us of instances in which computers waiting to be excessed were being taken by ORNL employees from unoccupied rooms or hallways.

In addition, two network administrators informed us that they had removed 10 hard drives from computers waiting to be excessed that were once used in sensitive program areas. This was done in order to reuse them in an internal networking device. When asked why they removed the hard drives, the administrators indicated they were unaware of ORNL's procedure, which limits hard drive removal to Campus Support technicians. The ORNL procedure entitled "Procedure for Disposition of Computers and Other Items with Media" specifies that only ORNL's Campus Support technicians are authorized to remove internal hard drives.

Senior ORNL officials informed us that many of the hard drives were removed by non-Campus Support technicians prior to the issuance of ORNL's current policy.
They further stated that hard drives for unclassified computers located in the Limited Security Area (LSA) must be removed prior to being excessed from the LSA, but the technicians were incorrectly completing the forms. The officials also indicated that improvements were made to the internal procedures, issued between January 2008 and December 2008, clarifying the Campus Support technicians' roles and responsibilities in hard drive disposition.

OTHER MATTERS

Although outside the scope of our inspection, a DCSO informed us of computers being taken by some ORNL employees or disappearing while waiting to be excessed. During Fiscal Years 2007 and 2008, ORNL's Property Management Organization listed 11 computers stolen and 39 computers/servers lost (3 of those reported as lost were subsequently found). The computers were likely at the end of their useful life and were not of great value, but their disappearance and the lack of controls raised additional concerns regarding the potential for compromised information.

RECOMMENDATIONS

Significant and timely corrective actions have been taken by ORNL to improve security controls for most of the vulnerabilities we identified; however, additional actions are warranted.

We recommend that the Manager, Oak Ridge Office:

   1. Implement the Department's requirements concerning storage media no longer in use and previously used to process sensitive unclassified information: protect the media by approved encryption, or track and control it until purged or destroyed.

   2. Ensure ORNL trains employees on its policy and procedures regarding removal of computer hard drives.

MANAGEMENT AND INSPECTOR COMMENTS

In comments on a draft of this report, the Department's Oak Ridge Office concurred with the recommendations. Although management concurred with our recommendations, they took exception to some of our analysis regarding the requirement to track or encrypt hard drives; the finding of hard drives in unoccupied rooms; and the unauthorized removal of hard drives.

Management's comments are included in their entirety in Appendix C of this report.

We consider management's comments and corrective actions planned and/or taken responsive to our recommendations. We have addressed management's comments below and made technical changes to the report, as appropriate.

Management said that the ORNL sanitization policies are in compliance with the current Office of Science (SC) Program Cyber Security Plan (PCSP). The PCSP states, "SC policy is to implement DOE M 205.1-2 with consideration of CS-11." Management observed that tracking or encryption of hard drives is not required.
We acknowledge that DOE M 205.1-2 does not require tracking or encryption of hard drives; however, CS-11 does require that storage media no longer in use, previously used to process sensitive unclassified information, be tracked and controlled until purged or destroyed. Furthermore, if ORNL officials considered but did not implement CS-11, they should have documented the risk assessment conducted and formally identified the individual who assumed the risk of not implementing the guidance. The Oak Ridge Office and ORNL officials were unable to provide us that documentation.

                 Management commented that our reporting of hard drives found in unoccupied offices is misleading because offices used for storage were locked. While we agree that several unoccupied offices and locations used for storage were locked, we were told by DCSOs (who are responsible for accountability of hard drives) of instances in which hard drives were collected from unlocked offices and locations, which the DCSOs subsequently secured. Also, one DCSO informed us of instances in which computers awaiting excessing were taken by ORNL employees from unoccupied rooms or hallways.

                 Management noted that non-instrument technicians removed many hard drives prior to the policy revisions and that some systems in the LSA had removable hard drives, accounting for some of the missing hard drives. Removable hard drives were not listed in our sample. Also, we noted that the policy restricting the removal of hard drives from unclassified systems, including systems in the LSAs, was implemented in October 2005. Consequently, it seems unlikely that hard drives removed from computers by non-technicians prior to October 2005 were part of our data sample. Management also noted that several boxes of hard drives not associated with computers were turned in by ORNL personnel, indicating awareness of the need for sanitization. The collection of several boxes of hard drives not associated with computers raises additional concerns regarding the lack of controls and the potential for compromised information from other media.

Appendix A

SCOPE AND METHODOLOGY     Our review included computer excessing policies and procedures at the Oak Ridge National Laboratory and the Department. The majority of our fieldwork was conducted from January through April 2010. 
Our research, analysis and fieldwork activities included:

                 •   Interviews with approximately 48 property custodians, DCSOs, and security officials associated with over 30 ORNL program areas;

                 •   Review of Department and local policies and regulations pertaining to internally transferred and excessed computers;

                 •   Assessment of documents, survey results, and electronic spreadsheets regarding computers excessed, unaccounted-for hard drives, abandoned hard drives, and lost or stolen computers;

                 •   Coordination with the Office of Inspector General's Technology Crimes Section to recover information stored on a recovered and secured hard drive; and

                 •   Review of prior Office of Inspector General and Government Accountability Office reports, and other related reports.

              This inspection was conducted in accordance with the Council of the Inspectors General on Integrity and Efficiency, "Quality Standards for Inspections," issued by the President's Council on Integrity and Efficiency.

Appendix B

PRIOR REPORTS   The following are prior related DOE Office of Inspector General reports:

                   •   "The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2009" (DOE/IG-0830, October 2009);

                   •   "The Department's Unclassified Cyber Security Program – 2009" (DOE/IG-0828, October 2009);

                   •   "Protection of the Department of Energy's Unclassified Sensitive Electronic Information" (DOE/IG-0818, August 2009);

                   •   "Security Weaknesses in the Handling of Unclassified Printers and Copiers at the Oak Ridge National Laboratory" (INS-L-09-06, S08IS001, May 2009);

                   •   "Personal Property Management at Lawrence Livermore National Laboratory" (INS-O-09-03, May 2009);

                   •   Special Report: "Management Challenges at the Department of Energy" (DOE/IG-0782, December 2007);

                   •   "Security Over Personally Identifiable Information" (DOE/IG-0771, July 2007);

                   •   "Internal Controls Over Computer Property at the Department's Counterintelligence Directorate" (DOE/IG-0762, March 2007); and

                   •   "Excessing of Computers Used for Unclassified Controlled Information at Lawrence Livermore National Laboratory" (DOE/IG-0759, March 2007).

Appendix C

MANAGEMENT COMMENTS   (Oak Ridge Office comments on the draft report, reproduced as scanned pages 13 through 16 of the original report)

IG Report No. INS-O-10-03

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message clearer to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                               Office of Inspector General (IG-1)
                                     Department of Energy
                                    Washington, DC 20585

                                  ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Felicia Jones at (202) 586-7013.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

                   U.S. Department of Energy Office of Inspector General Home Page
                                       http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.